{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# T1218.004 - Signed Binary Proxy Execution: InstallUtil",
    "\n",
    "Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system: <code>C:\\Windows\\Microsoft.NET\\Framework\\v<version>\\InstallUtil.exe</code> and <code>C:\\Windows\\Microsoft.NET\\Framework64\\v<version>\\InstallUtil.exe</code>.\n\nInstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute <code>[System.ComponentModel.RunInstaller(true)]</code>. (Citation: LOLBAS Installutil)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Atomic Tests"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "#Import the Module before running the tests.\n# Checkout Jupyter Notebook at https://github.com/haresudhan/TheAtomicPlaybook to run PS scripts.\nImport-Module /Users/0x6c/AtomicRedTeam/atomics/invoke-atomicredteam/Invoke-AtomicRedTeam.psd1 - Force"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #1 - CheckIfInstallable method call\nExecutes the CheckIfInstallable class constructor runner instead of executing InstallUtil. Upon execution, the InstallUtil test harness will be executed.\nIf no output is displayed the test executed successfuly.\n\n**Supported Platforms:** windows\n#### Dependencies:  Run with `None`!\n##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness})\n\n##### Check Prereq Commands:\n```None\nif (Test-Path \"PathToAtomicsFolder\\T1218.004\\src\\InstallUtilTestHarness.ps1\") {exit 0} else {exit 1}\n\n```\n##### Get Prereq Commands:\n```None\nNew-Item -Type Directory (split-path PathToAtomicsFolder\\T1218.004\\src\\InstallUtilTestHarness.ps1) -ErrorAction ignore | Out-Null\nInvoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile \"PathToAtomicsFolder\\T1218.004\\src\\InstallUtilTestHarness.ps1\"\n\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1218.004 -TestNumbers 1 -GetPreReqs"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "#### Attack Commands: Run with `powershell`\n```powershell\n# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. PathToAtomicsFolder\\T1218.004\\src\\InstallUtilTestHarness.ps1\n\n$InstallerAssemblyDir = \"$Env:TEMP\\\"\n$InstallerAssemblyFileName = \"T1218.004.dll\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$ExpectedOutput = 'Constructor_'\n\n$TestArgs = @{\n    OutputAssemblyDirectory = $InstallerAssemblyDir\n    OutputAssemblyFileName = $InstallerAssemblyFileName\n    InvocationMethod = 'CheckIfInstallable'\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly\n\nif ($ActualOutput -ne $ExpectedOutput) {\n    throw @\"\nCheckIfInstallable method execution test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1218.004 -TestNumbers 1"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #2 - InstallHelper method call\nExecutes the InstallHelper class constructor runner instead of executing InstallUtil. Upon execution, no output will be displayed if the test\nexecuted successfuly.\n\n**Supported Platforms:** windows\n#### Dependencies:  Run with `None`!\n##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness})\n\n##### Check Prereq Commands:\n```None\nif (Test-Path \"PathToAtomicsFolder\\T1218.004\\src\\InstallUtilTestHarness.ps1\") {exit 0} else {exit 1}\n\n```\n##### Get Prereq Commands:\n```None\nNew-Item -Type Directory (split-path PathToAtomicsFolder\\T1218.004\\src\\InstallUtilTestHarness.ps1) -ErrorAction ignore | Out-Null\nInvoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile \"PathToAtomicsFolder\\T1218.004\\src\\InstallUtilTestHarness.ps1\"\n\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1218.004 -TestNumbers 2 -GetPreReqs"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "#### Attack Commands: Run with `powershell`\n```powershell\n# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. PathToAtomicsFolder\\T1218.004\\src\\InstallUtilTestHarness.ps1\n\n$InstallerAssemblyDir = \"$Env:TEMP\\\"\n$InstallerAssemblyFileName = \"T1218.004.dll\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$CommandLine = \"/logfile= /logtoconsole=false `\"$InstallerAssemblyFullPath`\"\"\n$ExpectedOutput = 'Constructor_'\n\n$TestArgs = @{\n    OutputAssemblyDirectory = $InstallerAssemblyDir\n    OutputAssemblyFileName = $InstallerAssemblyFileName\n    InvocationMethod = 'InstallHelper'\n    CommandLine = $CommandLine\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly\n\nif ($ActualOutput -ne $ExpectedOutput) {\n    throw @\"\nInstallHelper method execution test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1218.004 -TestNumbers 2"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #3 - InstallUtil class constructor method call\nExecutes the installer assembly class constructor. Upon execution, version information will be displayed the .NET framework install utility.\n\n**Supported Platforms:** windows\n#### Dependencies:  Run with `None`!\n##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness})\n\n##### Check Prereq Commands:\n```None\nif (Test-Path \"PathToAtomicsFolder\\T1218.004\\src\\InstallUtilTestHarness.ps1\") {exit 0} else {exit 1}\n\n```\n##### Get Prereq Commands:\n```None\nNew-Item -Type Directory (split-path PathToAtomicsFolder\\T1218.004\\src\\InstallUtilTestHarness.ps1) -ErrorAction ignore | Out-Null\nInvoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile \"PathToAtomicsFolder\\T1218.004\\src\\InstallUtilTestHarness.ps1\"\n\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1218.004 -TestNumbers 3 -GetPreReqs"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "#### Attack Commands: Run with `powershell`\n```powershell\n# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. PathToAtomicsFolder\\T1218.004\\src\\InstallUtilTestHarness.ps1\n\n$InstallerAssemblyDir = \"$Env:TEMP\\\"\n$InstallerAssemblyFileName = \"T1218.004.dll\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$CommandLine = \"/logfile= /logtoconsole=false `\"$InstallerAssemblyFullPath`\"\"\n$ExpectedOutput = 'Constructor_'\n\n$TestArgs = @{\n    OutputAssemblyDirectory = $InstallerAssemblyDir\n    OutputAssemblyFileName = $InstallerAssemblyFileName\n    InvocationMethod = 'Executable'\n    CommandLine = $CommandLine\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly\n\nif ($ActualOutput -ne $ExpectedOutput) {\n    throw @\"\nInstallUtil class constructor execution test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1218.004 -TestNumbers 3"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #4 - InstallUtil Install method call\nExecutes the Install Method. Upon execution, version information will be displayed the .NET framework install utility.\n\n**Supported Platforms:** windows\n#### Dependencies:  Run with `None`!\n##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness})\n\n##### Check Prereq Commands:\n```None\nif (Test-Path \"PathToAtomicsFolder\\T1218.004\\src\\InstallUtilTestHarness.ps1\") {exit 0} else {exit 1}\n\n```\n##### Get Prereq Commands:\n```None\nNew-Item -Type Directory (split-path PathToAtomicsFolder\\T1218.004\\src\\InstallUtilTestHarness.ps1) -ErrorAction ignore | Out-Null\nInvoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile \"PathToAtomicsFolder\\T1218.004\\src\\InstallUtilTestHarness.ps1\"\n\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1218.004 -TestNumbers 4 -GetPreReqs"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "#### Attack Commands: Run with `powershell`\n```powershell\n# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. PathToAtomicsFolder\\T1218.004\\src\\InstallUtilTestHarness.ps1\n\n$InstallerAssemblyDir = \"$Env:TEMP\\\"\n$InstallerAssemblyFileName = \"T1218.004.dll\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$CommandLine = \"/logfile= /logtoconsole=false /installtype=notransaction /action=install `\"$InstallerAssemblyFullPath`\"\"\n$ExpectedOutput = 'Constructor_Install_'\n\n$TestArgs = @{\n    OutputAssemblyDirectory = $InstallerAssemblyDir\n    OutputAssemblyFileName = $InstallerAssemblyFileName\n    InvocationMethod = 'Executable'\n    CommandLine = $CommandLine\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs\n\nif ($ActualOutput -ne $ExpectedOutput) {\n    throw @\"\nInstallUtil Install method execution test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1218.004 -TestNumbers 4"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #5 - InstallUtil Uninstall method call - /U variant\nExecutes the Uninstall Method. Upon execution, version information will be displayed the .NET framework install utility.\n\n**Supported Platforms:** windows\n#### Dependencies:  Run with `None`!\n##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness})\n\n##### Check Prereq Commands:\n```None\nif (Test-Path \"PathToAtomicsFolder\\T1218.004\\src\\InstallUtilTestHarness.ps1\") {exit 0} else {exit 1}\n\n```\n##### Get Prereq Commands:\n```None\nNew-Item -Type Directory (split-path PathToAtomicsFolder\\T1218.004\\src\\InstallUtilTestHarness.ps1) -ErrorAction ignore | Out-Null\nInvoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile \"PathToAtomicsFolder\\T1218.004\\src\\InstallUtilTestHarness.ps1\"\n\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1218.004 -TestNumbers 5 -GetPreReqs"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "#### Attack Commands: Run with `powershell`\n```powershell\n# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. PathToAtomicsFolder\\T1218.004\\src\\InstallUtilTestHarness.ps1\n\n$InstallerAssemblyDir = \"$Env:TEMP\\\"\n$InstallerAssemblyFileName = \"T1218.004.dll\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$CommandLine = \"/logfile= /logtoconsole=false /U `\"$InstallerAssemblyFullPath`\"\"\n$ExpectedOutput = 'Constructor_Uninstall_'\n\n$TestArgs = @{\n    OutputAssemblyDirectory = $InstallerAssemblyDir\n    OutputAssemblyFileName = $InstallerAssemblyFileName\n    InvocationMethod = 'Executable'\n    CommandLine = $CommandLine\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs\n\nif ($ActualOutput -ne $ExpectedOutput) {\n    throw @\"\nInstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1218.004 -TestNumbers 5"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #6 - InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant\nExecutes the Uninstall Method. Upon execution, version information will be displayed the .NET framework install utility.\n\n**Supported Platforms:** windows\n#### Dependencies:  Run with `None`!\n##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness})\n\n##### Check Prereq Commands:\n```None\nif (Test-Path \"PathToAtomicsFolder\\T1218.004\\src\\InstallUtilTestHarness.ps1\") {exit 0} else {exit 1}\n\n```\n##### Get Prereq Commands:\n```None\nNew-Item -Type Directory (split-path PathToAtomicsFolder\\T1218.004\\src\\InstallUtilTestHarness.ps1) -ErrorAction ignore | Out-Null\nInvoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile \"PathToAtomicsFolder\\T1218.004\\src\\InstallUtilTestHarness.ps1\"\n\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1218.004 -TestNumbers 6 -GetPreReqs"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "#### Attack Commands: Run with `powershell`\n```powershell\n# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. PathToAtomicsFolder\\T1218.004\\src\\InstallUtilTestHarness.ps1\n\n$InstallerAssemblyDir = \"$Env:TEMP\\\"\n$InstallerAssemblyFileName = \"T1218.004.dll\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$CommandLine = \"/logfile= /logtoconsole=false /installtype=notransaction /action=uninstall `\"$InstallerAssemblyFullPath`\"\"\n$ExpectedOutput = 'Constructor_Uninstall_'\n\n$TestArgs = @{\n    OutputAssemblyDirectory = $InstallerAssemblyDir\n    OutputAssemblyFileName = $InstallerAssemblyFileName\n    InvocationMethod = 'Executable'\n    CommandLine = $CommandLine\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs\n\nif ($ActualOutput -ne $ExpectedOutput) {\n    throw @\"\nInstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1218.004 -TestNumbers 6"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #7 - InstallUtil HelpText method call\nExecutes the Uninstall Method. Upon execution, help information will be displayed for InstallUtil.\n\n**Supported Platforms:** windows\n#### Dependencies:  Run with `None`!\n##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness})\n\n##### Check Prereq Commands:\n```None\nif (Test-Path \"PathToAtomicsFolder\\T1218.004\\src\\InstallUtilTestHarness.ps1\") {exit 0} else {exit 1}\n\n```\n##### Get Prereq Commands:\n```None\nNew-Item -Type Directory (split-path PathToAtomicsFolder\\T1218.004\\src\\InstallUtilTestHarness.ps1) -ErrorAction ignore | Out-Null\nInvoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile \"PathToAtomicsFolder\\T1218.004\\src\\InstallUtilTestHarness.ps1\"\n\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1218.004 -TestNumbers 7 -GetPreReqs"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "#### Attack Commands: Run with `powershell`\n```powershell\n# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. PathToAtomicsFolder\\T1218.004\\src\\InstallUtilTestHarness.ps1\n\n$InstallerAssemblyDir = \"$Env:TEMP\\\"\n$InstallerAssemblyFileName = \"T1218.004.dll\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$CommandLine = \"/? `\"$InstallerAssemblyFullPath`\"\"\n$ExpectedOutput = 'Constructor_HelpText_'\n\n$TestArgs = @{\n    OutputAssemblyDirectory = $InstallerAssemblyDir\n    OutputAssemblyFileName = $InstallerAssemblyFileName\n    InvocationMethod = 'Executable'\n    CommandLine = $CommandLine\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs\n\nif ($ActualOutput -ne $ExpectedOutput) {\n    throw @\"\nInstallUtil HelpText property execution test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1218.004 -TestNumbers 7"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #8 - InstallUtil evasive invocation\nExecutes an InstallUtil assembly by renaming InstallUtil.exe and using a nonstandard extension for the assembly. Upon execution, \"Running a transacted installation.\"\nwill be displayed, along with other information about the opperation. \"The transacted install has completed.\" will be displayed upon completion.\n\n**Supported Platforms:** windows\n#### Dependencies:  Run with `None`!\n##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness})\n\n##### Check Prereq Commands:\n```None\nif (Test-Path \"PathToAtomicsFolder\\T1218.004\\src\\InstallUtilTestHarness.ps1\") {exit 0} else {exit 1}\n\n```\n##### Get Prereq Commands:\n```None\nNew-Item -Type Directory (split-path PathToAtomicsFolder\\T1218.004\\src\\InstallUtilTestHarness.ps1) -ErrorAction ignore | Out-Null\nInvoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile \"PathToAtomicsFolder\\T1218.004\\src\\InstallUtilTestHarness.ps1\"\n\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1218.004 -TestNumbers 8 -GetPreReqs"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "#### Attack Commands: Run with `powershell`\n```powershell\n# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. PathToAtomicsFolder\\T1218.004\\src\\InstallUtilTestHarness.ps1\n\n$InstallerAssemblyDir = \"$Env:windir\\System32\\Tasks\"\n$InstallerAssemblyFileName = 'readme.txt'\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$CommandLine = \"readme.txt\"\n$ExpectedOutput = 'Constructor_'\n\n# Explicitly set the directory so that a relative path to readme.txt can be supplied.\nSet-Location \"$Env:windir\\System32\\Tasks\"\n\nCopy-Item -Path \"$([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())InstallUtil.exe\" -Destination \"$Env:windir\\System32\\Tasks\\notepad.exe\"\n\n$TestArgs = @{\n    OutputAssemblyDirectory = $InstallerAssemblyDir\n    OutputAssemblyFileName = $InstallerAssemblyFileName\n    InvocationMethod = 'Executable'\n    CommandLine = $CommandLine\n    InstallUtilPath = \"$Env:windir\\System32\\Tasks\\notepad.exe\"\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly\n\nif ($ActualOutput -ne $ExpectedOutput) {\n    throw @\"\nEvasive Installutil invocation test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1218.004 -TestNumbers 8"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Detection",
    "\n",
    "Use process monitoring to monitor the execution and arguments of InstallUtil.exe. Compare recent invocations of InstallUtil.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Command arguments used before and after the InstallUtil.exe invocation may also be useful in determining the origin and purpose of the binary being executed."
   ]
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": ".NET (PowerShell)",
   "language": "PowerShell",
   "name": ".net-powershell"
  },
  "language_info": {
   "file_extension": ".ps1",
   "mimetype": "text/x-powershell",
   "name": "PowerShell",
   "pygments_lexer": "powershell",
   "version": "7.0"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 4
}